Posts tagged Macedonia

October 19, 2017

A lost year” is how Gjorgji Georgievski, Partner at ODI in Macedonia, describes the current state of deal-making in his country. “From April onwards things got really slow because of the culmination of the ongoing political crisis,” he explains, adding: “Since the formation of the new Government in June it was normal for things to calm down but soon after we got into a state of waiting for the local elections which eventually took place on October 15, 2017.

Georgievski is looking forward to the last quarter of 2017, when activity should pick up again. “The market is generally slow, with most investors waiting to see how the political crisis will unfold,” he explains. “We’re really optimistic about Q4 and the early months of next year,” he added, pointing to potential deals in the pipeline ranging from notable acquisitions in the freight forwarding and real estate sectors to potential investments in mining operations and a manufacturing company. “In my specific area however,” the TMT specialist said, “there is not much in particular to report, with the telecommunications market having now consolidated between two players. There are continuous investments in infrastructure but there is nothing really to generate substantial work in the market.”

Uncertainty looms over FDI into Macedonia as well, both due to the ongoing political uncertainty and the new Government’s contemplated change in strategy, Georgievski reports. In the past, he says, the Government was dead-set on attracting foreign investors and would “give them everything but the kitchen sink to have them come into the country.” That plan worked in attracting a number of foreign companies that did employ a few thousand people, he says, but there was little trickle down from there. “These companies didn’t really work a lot with local companies as there was a general lack of capacity,” he explains, “and locals have been complaining about the preferential treatment that the internationals were receiving.” The new strategy retains the concept of attracting these foreign investors, especially tech giants, but aims to minimize the preferential treatment they receive, while also making it harder for the companies coming in to not work with the local ones. He says, “how that would work is, as of now, unclear.”

The legal market itself remains more or less unchanged, with the market leaders the same for a decade now, Georgievski reports. “There are some smaller teams coming up that are trying to take on the whales but I am not seeing much of a dent in their market share just yet.” He adds that one interesting rumor circulating is that several regional firms are looking to open up an office in the market. He opted to not give any names given the unconfirmed nature of the buzz, noting only that it would be a “peculiar development given the situation of the market at the moment.”

September 18, 2017

Gjorgji Georgievski and Ana Stojanovska have contributed the Macedonia chapter to the definitive guide to Telecoms & Media regulation and government policy covering fixed, mobile and satellite services, radio frequency requirements, next-generation mobile services, authorisation timescales and fees, modification and assignment of licences, radio spectrum assignment, cable networks, local loop access, internet regulation, broadband penetration, interconnection and inter-operator disputes, charges and tariffs, customer terms and conditions, media licensing, content and advertising restrictions, exclusivity and ownership restrictions, unsolicited and intercepted communications and competition and merger control.



September 15, 2017

The ELTA is an association of law firms, companies, legal technology providers, start-ups, and individuals in Europe. It regards itself as a platform specifically for the promotion of knowledge about, and the possible application of, technology and software supported solutions in the legal market (legal technology), as well as its use within companies, law firms, start-ups, and other initiatives active in this area.


June 23, 2017

If you would like to learn more about the rules on restrictive agreements and practices in Macedonia, ODI Partner Ana Stojanovska contributed an article to CEE Legal Matters discussing the specifics of whether an agreement or practice is indeed in breach of the Competition Act in Macedonia.

Please visit the following link to access the article.


June 23, 2017

ODI has been named the Best Corporate Law Firm for South East Europe by the Markets Monthly business magazine within its International frontier markets awards for the year 2017. Markets Monthly is magazine covering global business developments and seeks to showcase the latest trends, innovations and challenges within the corporate landscape.

We are very pleased to have received this recognition. We believe it is a result of ODI’s extensive efforts to expand throughout the region. We hope to build on this success and become an even more prominent force in the Adriatic.


May 5, 2017

If you would like to learn more about exports of personal data outside of Macedonia, Gjorgji Georgievski and Simona Kostovska have contributed an article to CEE Legal Matters discussing the specific rules on the exports of personal data set out in the Macedonian Personal Data Protection Act. Please visit the following link to access the article.


April 13, 2016

ODI Macedonia has been ranked by Legal500 2016 as Leading Law Firm, praised for demonstrating both `strength and capability’.

Partners, Gjorgji Georgievski and Ana Stojanovska are featuring among the Recommended Lawyers.

The full results are available here.


October 6, 2015

ODI Law has a firm-wide commitment to pro bono work. We believe that we have a professional responsibility to contribute time, skills and other resources to provide necessary legal services to members of the public who could not otherwise afford them. ODI Law is dedicated to public service in non-legal settings as well and to prove the dedication, we have ventured into art, providing pro bono legal services to emerging artist Milan Andov.

Milan is an inspirational artist with a unique and distinctive style, producing breathtaking art in themes relating to the subconscious and the unconscious extremities of love, rage, hate, and characters displaying their deep psychological state. Milan has received numerous awards for his work which has been described as “art where you feel the soul, heart and mindful interpretations of emotion and sensuality leap from the canvas and draw you into the depths of the composition”.

August 26, 2015

Information and communication technologies (“ICTs”) have radically changed the way of communication and the way of doing business across the European Union. As ICTs and the Internet became the main driver of innovation and economic growth of the European Union, it is important to highlight the importance of the reliability and the security of the networks and information systems used by European governments, businesses and citizens. The network and information security is not just of key importance for the protection of the rights of the European citizens, but also for the functioning of the single digital economy. On one hand, governments and businesses now heavily rely upon the reliable and safe functioning of their network and information systems to provide daily services that are of critical importance to European citizens (e.g. finance, education, healthcare, transport, energy etc.), on the other hand, they have become a vehicle for political and social inclusion and the exercise of the fundamental rights and freedoms of the European citizens.

Network and information security is exposed to various threats that are effectively undermining citizens’ trust and confidence in electronic transactions and are hampering the growth of the digital economy in the European Union. The most recent survey on cyber security in the European Union indicates that cybercrime is the greatest threat to network and information security:

  • a staggering 87% of Europeans still avoid disclosing personal information online;
  • 70% of Europeans are concerned that their online personal information is not kept secure by websites; and
  • 64% of Europeans agree that they are concerned that information is not kept secure by public authorities

European governments and businesses have already deployed certain security measures for the prevention of network and information security incidents; however, most recent statistical data indicate that the levels of cybercrime in Europe are increasing. As a result, the economic losses, which may be attributed to cybercrime attacks and activities, are estimated at a bewildering USD 500 billion at a global level.

2. Proposal for NIS Directive

The prevalence of cybercrime has prompted the European Union to undertake various initiatives for the implementation of measures for the protection of network and information security incidents, especially in relation to critical services. These initiatives included the establishment of the European Network and Information Security Agency (“ENISA”) in 2004, the establishment of the European Programme for Critical Infrastructure Protection (the “ECI Directive”) in 2008, the enactment of the Directive 2013/40/EU (the “Infosys Attacks Directive”) in 2013 (aimed at tackling the increasingly sophisticated and large-scale forms of attacks against information systems11) and other initiatives.

The most recent EU initiative is the proposal for a Directive on Network and Information Security (the “Proposal for NIS Directive”), concerning measures to ensure a high common level of network and information security across the Union. The Proposal for NIS Directive is central to the first European Union Cyber Security Strategy (“EU Cyber Security Strategy”), which foresees the implementation of measures aimed at inter alia drastically reducing cybercrime and establishing a coherent international cyberspace policy for the EU. The Proposal for NIS Directive is a result of the lack of overarching legislation or regulatory requirements covering all Member States and different regulations implemented by different Member States, which ultimately leads to regulatory fragmentation. The European Commission considers that there is a need of regulation of the minimum requirements for capacities building and planning requirements, information sharing and coordination of actions and common security requirements for all market operators and public administrations concerned to be able to respond effectively to challenges of the security of network and information systems.

2.1 Key features of the Proposal for NIS Directive

The aim of the Proposal for NIS Directive is to ensure a common high level of network and information security (NIS) in the European Union, “by requiring the Member States to increase their preparedness and improve their mutual cooperation with each other, and by requiring operators of critical infrastructures, such as energy, transport, and key providers of information society services (e- commerce platforms, social networks, etc.), as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.” The key measures foreseen in the Proposal for NIS Directive include imposing a set of requirements on Member States, public administrations and market operators in a view of establishing a trusted network for cyber security information sharing between them. These key measures may be summarised as follows:

  1. Member States are required to adopt a national NIS Strategy (including a national NIS Cooperation Plan) defining the strategic objectives and concrete policy and regulatory measures to achieve and maintain a high level of network and information security.
  2. Member States are required to establish national NIS authorities with the competence to: (i) monitor the application of the NIS Directive on a national level; (ii) receive reports about security incidents from public administrations and market operators; and (iii) consult and cooperate with the relevant law enforcement and data protection authorities.
  1. Member States are required to establish Computer Emergency Response Teams (CERTs) responsible for handling cyber security risk and incidents with the competence to:
    • monitor cyber security incidents on a national level;
    • provide early warnings and alert announcements and disseminate information to relevant stakeholders about cyber security risk and incidents;
    • respond to cyber security incidents;
    • provide dynamic risk management, incident analysis and situational awareness;
    • build broad public awareness of the risks associated with online activities; and
    • organise campaigns on NIS.
  2. National NIS Authorities are required to inter-connect into a single secure Cooperation Network in order to: (i) circulate early warnings on cyber security risk and incidents; (ii) coordinate responses to cyber security risks and incidents; (iii) regularly publish non- confidential information on early warnings and coordinated response on a common website etc.
  3.  Public Administrations & Market operators are required to (i) take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations; (ii) notify to the competent national NIS authority incidents having a significant impact on the security of the core services they provide.

The above summary of the key requirements of the Proposal for NIS Directive indicates that the European Union is (for the first time in its history) taking a centralised regulatory approach in the tackling of cybercrime – very similar to the US approach. The Presidential Executive Order for Improving Critical Infrastructure Cyber Security 13636 of 12 February 2013 also aims to create a US cyber security information-sharing program between the federal agencies and companies and for this purpose it has ordered the implementation of measures that are similar to the ones proposed in the Proposal for a NIS Directive.

2.2 Establishment of a mandatory security incident information-sharing program

The key differences between the Proposal for NIS Directive and the US Cyber Security Framework are that the latter aims to establish a voluntary information-sharing program between the government and companies, and among companies, opposed to the mandatory reporting requirements between the government and the companies, imposed by the Proposal for NIS Directive. Although there are some suspicions whether the US cyber security information-sharing program is going to be voluntary indeed, it is interesting to look at the reasons for the introduction of a mandatory information- sharing program under the Proposal Directive.

It appears that this introduction of mandatory reporting requirements is rooted in the Proposal for NIS Directive’s objective to promote a culture of risk management and information sharing between the public and the private sector, (companies and public administrations), but at the same time, it poses a risk for promotion of a culture of “naming and shaming” of market operators that have experienced a security incident. It is well accepted that the systematic and continuous reporting of security incidents is beneficial in the context of formulating adequate strategies for a response at a national or supranational level. The Proposal for NIS Directive promotes the reporting of security incident as a vehicle for facilitating a culture of collaboration between the private and the public sector and obtaining of timely information about the occurrence, type and time for response to an incident of particular nature. Moreover, it also provides the possibility for public disclosure of information on security incidents by the competent national NIS authorities, if this would be in the public interest.

It appears that the objectives of the Proposal for NIS Directive are focused on gathering as much as detailed information on cyber security incidents and cybercrime trends and promotion of public- private partnership in coordination of proper responses. Consequently, although there is a risk for that, it does not appear that the mandatory reporting requirements are a “name-and-shame exercise”, in order to incentivize companies to deploy adequate protective measures for security incidents and to share information in order to avoid public disclosure of their “weak” cyber security protection.

Although, the reporting requirements are based on the proportionality of risk (risk-based approach), the broad and unclear scope of the Proposal for NIS Directive leaves plenty of room for the European Commission to make use of delegated and implementing acts for determining the security incidents thresholds and for the free interpretation of those acts by the individual Member States. In this context, it is unclear of how are the reporting requirement related to the Proposal for NIS Directive’s objectives. The Proposal for a NIS Directive introduces an obligation for public administrations and companies to report security incidents to the national NIS authorities, which in turn may disclose, or require companies and public administrations to disclose), the information about a particular incident in the public, if that would be in the public interest. Therefore, the mandatory reporting requirements do not facilitate the exchange of information about security incidents among companies, only between governmental authorities and companies, and the public is only to be informed if a security incident affects their interest.

The promotion of the culture of risk management is going to heavily rely upon the capacity and the pro-activity of the designated national NIS authorities to process all of the received security incident reports and to cooperate together with companies in order to coordinate a response. If due to various reasons companies would be discouraged to reporting security incidents (because of high costs for implementation of separate systems) or are over-reporting because of the unclear scope of the Proposal for NIS Directive, this would threaten the primary objective of the Proposal for NIS Directive. It would create a regulatory maze for reporting of security incidents where both the companies and the national NIS authorities would be struggling to actively exchange information and cooperate in order to coordinate a response to cyber crime attacks.

Another, potential problem lies in the imposing of security incident reporting requirements to public administrations. Public administrations hold enormous amounts of personal data and they already have in place appropriate security measures that, presumably, exceed the minimum security measures imposed by the Proposal for NIS Directive. It might be argued that the majority of the security incidents which affect the data stored by public administrations would have to be disclosed to the public, as it would be in the public interest for the European citizens to know that their information have been compromised. However, public administrations hold a lot of information which relate to critical infrastructure (e.g. defence, security) and are classified in accordance with the national legislation, hence they are going to be disclosed the public. As far as security incidents, which might be “reportable” i.e., are not classified under the relevant legislation, it is questionable whether the national NIS authority would be inclined to disclose them to the public, as mater of protecting the public administration’s reputation with the public.

2.2 Security incidents reporting thresholds

It is also important to highlight that the Proposal for NIS Directive does not provide any guidance on the thresholds to be applied on the “incidents that have a significant impact on the security of the core services provided” by market operators. The guidance on the assessment of whether a particular security incident is significant, is left upon the European Commission:

“The Commission shall be empowered to adopt delegated acts concerning the definition of circumstances in which public administrations and market operators are required to notify incidents.

The Commission shall be empowered to define, by means of implementing acts, the formats and procedures applicable for the requirements of public administrations and market operators to notify incidents to the competent national NIS Authorities.”

In this context, the European Banking Federation’s (EBF) concerns about the need for an accurate definition of what would constitute a significant incident are fully legitimate and justified:

“Art 14(2) requires reporting by market operators of ‘incidents having a significant impact on the security of the core services they provide’. The word ‘significant’ needs careful definition in order to determine whether this Directive will achieve its aim: If the requirement includes reporting of incidents with minimal impact to the business of the market operator, then it could drive a culture that is encouraged not to identify incidents. This would be counterproductive, as effective cyber security requires identification and investigation of a wide range of incidents, many of which appear to be insignificant at first sight. It is only by catching such incidents early that material incidents are prevented. We would recommend the limitation of mandatory reporting to just incidents with significant and material impact and this needs to be established within the Directive in order to prevent scope creep in the future.”

The Proposal for NIS Directive’s risk-based approach might be compromised by the lack of a precise definition on what would constitute a “significant” security incident and the lack of thresholds for determination of such significance. The fact that the European Commission is empowered to define the thresholds and the Member States are empowered to provide legally binding guidance on how these should be implemented, creates a high level of legal uncertainty and might potentially cause difficulties in the implementation of the Proposal for NIS Directive in the different Member States.

Depending on the European Commission’s input, Member States might provide substantially different guidance and instructions to public administrations and market operators, depending on the stage of development of network and information security infrastructure and best practices in dealing with security incidents. This might ultimately undermine the main objective of the Proposal for NIS Directive to establish a harmonized European legal framework for reporting of cybersecurity incidents and to discourage market operators to report security incidents which are not significant at all or do not affect a critical service.

Another concern related to the (lack of) reporting thresholds in the Proposal for NIS Directive is that a number of security incidents do not target the market operator’s network and information systems; instead they target their customer’s systems. Although it is safe to assume that any such incidents (if significant subject to the delegated and implementing acts by the European Commission and the further guidance provided by individual Member States), would be subject to the reporting requirements imposed by the Proposal for NIS Directive, it is not entirely clear whether there is such a requirement under the Proposal for NIS Directive.

In the above context, it is reasonable to expect that in case of security incidents targeted against the systems of the market operator’s customers, doubts will arise whether such security incidents should be deemed as significant and whether they should be reported, in accordance with the requirements of the Proposal for NIS Directive.

Gjorgji Georgievski, Partner

April 17, 2015

Getting the Deal Through works with many of the best lawyers and law firms in the world to bring together a unique legal information resource, written by experts on each subject area, in every significant jurisdiction. Their online research platform is used by thousands of law firms, universities, regulators, and corporate counsel at leading multinational organisations as a reliable, first port of call for any legal query worldwide.

The original Q&A comparative series, GTDT now covers over 68 practice areas spanning competition&regulatory, dispute resolution&litigation, tax, white collar crime, IP, corporate, commercial, banking&finance, infrastructure&transport, energy&natural resources, insurance and compliance. Across the entire series, GTDT publishes analysis on more than 150 jurisdictions.

Our Partner Gjorgji Georgievski and Junior Associate Simona Kostovska, both ODI Macedonia, participated in the TMT section and represented ODI Law Firm and prepared answers to the questions regarding Macedonia. Find their contribution on the link below:

 Getting the deal through – Media and Telecoms

Reproduced with permission from Law Business Research Ltd. This article was first published in Getting the Deal Through: Telecoms & Media 2015, (published in March 2015; contributing editors: Laurent Garzaniti and Natasha Good, Freshfields Bruckhaus Deringer LLP). For further information please visit”


Back to top